The massively growing number of network-connected devices has pressed standards bodies and government entities to publish security guidelines and recommendations. According to IHS Markit, the number of IoT devices throughout the world will increase from 27 billion in 2017 to 125 billion by 2030.
In response to this IoT expansion, recommendations continue to emerge around IoT device security, to persuade manufacturers to act more responsibly in the development and deployment of their devices. This growing standards movement indicates that globally, we are waking up to the risks associated with connected devices.
New technical specifications, labeled TS 103 645, were just released by the European Telecommunications Standards Institute (ETSI), an independent standardization organization for the telecommunications industry in Europe. These security guidelines and specifications govern a wide range of Internet-connected consumer devices, including toys, baby monitors, smart cameras, televisions, wearable health trackers and home automation systems.
Global IoT security recommendations and guidelines are mounting, including:
- ENISA – baseline security recommendations for IoT in the context of critical information infrastructures
- UK Department for Digital, Culture, Media and Sport – Secure by Design: Improving the cyber security of consumer Internet of Things report
- IoT Security Foundation – IoT Security Compliance Framework
- GSMA – IoT Security Guidelines and Assessment
- California IoT legislation (Security Bill SB-327)
- FDA pre- and post-market guidance for medical devices
Cyber criminals look for the path of least resistance. If a hacker gains access to an IoT device, like a Wi-Fi-enabled thermostat, they can shut off an air conditioner when the outside temperature is 100 degrees. While that is dangerous enough, it could be just the beginning. By using the thermostat as a backdoor, an attacker can gain access to the home’s network and attack all the other connected devices, like phones, laptops, cameras and appliances.
The ETSI TS 103 645 specification focuses on consumer devices that connect to network infrastructure. It provides guidance on implementing security practices for organizations that develop and manufacture consumer IoT devices. TS 103 645 urges connected device makers to ban the use of default passwords for connected consumer devices, and to make it easier for users to delete their personal data. The specification recommends other standard security practices, including:
- Having good password practices — no default passwords
- Having a means for managing vulnerabilities
- Keeping software on devices updated and notifying consumers of these updates
- Ensuring secure communication of sensitive data using encryption
- Ensuring the secure storage and management of keys
- Ensuring integrity of software on devices by using approaches such as secure boot
- Making sure devices are resilient to outages
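The update and secure-boot items above reduce to one check on the device: refuse to install or run any image that does not carry a valid manufacturer signature, and refuse downgrades to an older version. The following Go program is an added illustration and is not code from ETSI, from TS 103 645 or from the post's author; the package layout, the version-binding digest, the version numbers and the function names are assumptions chosen for the example. It uses Go's standard-library Ed25519 to sign an image on the build side and to verify it on the device side, which is also the code-signing practice the post later lists under PKI.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwarePackage is the update artifact as a device receives it (assumed
// layout): the image bytes, a monotonically increasing version number, and
// the manufacturer's signature over version || SHA-256(image).
type FirmwarePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// signedDigest binds the version number to the image so a valid signature
// over an old image cannot be replayed with a newer version label.
func signedDigest(version uint32, image []byte) []byte {
	h := sha256.New()
	h.Write([]byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)})
	h.Write(image)
	return h.Sum(nil)
}

// SignFirmware is the manufacturer-side step (hypothetical build server);
// the private key never leaves the build environment.
func SignFirmware(priv ed25519.PrivateKey, version uint32, image []byte) FirmwarePackage {
	return FirmwarePackage{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedDigest(version, image)),
	}
}

var (
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("firmware version is not newer than installed version")
)

// VerifyFirmware is the device-side check run before an image is written to
// flash (and, for secure boot, before it is executed): the signature must
// verify under the manufacturer public key provisioned into the device, and
// the version must be strictly newer than the installed one. Any failure
// leaves the installed image untouched.
func VerifyFirmware(pub ed25519.PublicKey, installed uint32, pkg FirmwarePackage) error {
	if !ed25519.Verify(pub, signedDigest(pkg.Version, pkg.Image), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample image; a real one would be the firmware binary.
	image := []byte("constructed firmware image v2")
	pkg := SignFirmware(priv, 2, image)
	fmt.Println("genuine update:", VerifyFirmware(pub, 1, pkg))

	// Flip one byte in transit: the signature no longer matches.
	tampered := pkg
	tampered.Image = append([]byte{}, pkg.Image...)
	tampered.Image[0] ^= 0xff
	fmt.Println("tampered image:", VerifyFirmware(pub, 1, tampered))

	// A correctly signed but older (or equal) version is also refused.
	fmt.Println("rollback attempt:", VerifyFirmware(pub, 2, pkg))
}
```

The design point is that the device holds only the public key, so compromising a device yields nothing that lets an attacker sign images for other devices, and the version check closes the gap that a signature alone leaves open.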
These are standard security practices that all manufacturers should be using. As a society, and more importantly, as consumers of these devices, we should expect and require these security protections, as the risks of not having them are just too great.
While IoT may seem to be just beginning, the tens of billions of devices already in industrial plants, businesses and our homes mean that the risks associated with IoT devices without proper security implementation will have a major impact. In fact, a global survey of 700 organizations conducted by ReRez Research on behalf of DigiCert found organizations that have had IoT security mishaps are experiencing losses as high as $34 million. According to the survey, the top four IoT concerns ranked by respondents are security (82%), privacy (78%), cost (73%), and regulation (72%).
Many of the security provisions identified in TS 103 645 can be accomplished with better results through the appropriate use of public key infrastructure (PKI).
- Authenticating connections with digital certificates provides a scalable approach with unique credentials for each device or user, as opposed to standard practices that often are replete with default passwords and rely on users for strong security.
- Certificates that encrypt data in motion provide secure transmission — another standard application of PKI.
- Code signing ensures the integrity of any package sent to a device.
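The first bullet, a unique credential per device instead of a shared default password, is what a manufacturer-operated issuing CA provides. The Go program below is an added example and is not DigiCert's or the post's own code: the in-memory CA, the SN-style device identifiers, the validity periods and the function names are all assumptions. It creates a CA, issues each device its own certificate over a key generated on the device side, and then runs the relying-party check that ties identity to a certificate chain rather than a password; a certificate with the same subject issued by an unrelated CA is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DeviceCA is a hypothetical manufacturer issuing CA. In production the
// signing key would live in an HSM; here it is generated in memory.
type DeviceCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool // trust anchors used by the relying party
	next int64          // next unique serial number
}

func NewDeviceCA(name string) (*DeviceCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &DeviceCA{cert: cert, key: key, pool: pool, next: 2}, nil
}

// IssueDeviceCert gives one device its own key pair and a certificate whose
// subject is that device's unique identifier. The private key is generated
// on the device side and never leaves it; only the public key is certified.
func (ca *DeviceCA) IssueDeviceCert(deviceID string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.next),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(5 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	ca.next++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &devKey.PublicKey, ca.key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, devKey, err
}

// AuthenticateDevice is the relying-party check: the presented certificate
// must chain to the manufacturer CA and be valid for client authentication.
// The authenticated identity is the certificate subject, not a password.
func (ca *DeviceCA) AuthenticateDevice(presented *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{
		Roots:     ca.pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := presented.Verify(opts); err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}

func main() {
	ca, err := NewDeviceCA("Example Manufacturer Device CA")
	if err != nil {
		panic(err)
	}
	for _, id := range []string{"SN-0001", "SN-0002"} { // constructed device IDs
		cert, _, err := ca.IssueDeviceCert(id)
		if err != nil {
			panic(err)
		}
		who, err := ca.AuthenticateDevice(cert)
		fmt.Printf("device %s: serial=%v authenticated=%q err=%v\n", id, cert.SerialNumber, who, err)
	}
	// Same subject, different issuer: does not chain to our trust anchor.
	rogue, _ := NewDeviceCA("Unrelated CA")
	rogueCert, _, _ := rogue.IssueDeviceCert("SN-0001")
	_, err = ca.AuthenticateDevice(rogueCert)
	fmt.Println("cert from unrelated CA:", err)
}
```

In a deployment the same device certificate and key are what the device presents as its client credential in a mutually authenticated TLS session, which is the second bullet's use of PKI; revocation and expiry checks would be layered onto AuthenticateDevice in the same place.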
It’s great to see these standards emerging — and hopefully we will see more adoption from IoT device manufacturers. However, if IoT device manufacturers sidestep basic security practices in an effort to bring products to market faster, those decisions will ultimately come back to haunt them. Those manufacturers will quickly learn from the market that it’s much better to act responsibly with security in the development and deployment of devices, rather than trying to add security after the devices are in the hands of consumers. And retrofitting devices with security after the fact can lead to unplanned costs that will only mount if government regulation increases due to industry inaction.